The LOD/H Technical Journal: File #2 of 10


----------------------------
    The Networked UNIX
         :TCP-IP
 by:
       SOLID STATE
       June 23 1987
----------------------------

PREFACE

  I've written this article with the assumption that those reading it have a
working knowledge of UNIX and large networks, specifically the DARPA Internet
-- ARPAnet and MILnet. Within I offer guidance on features of the TCP-IP
(Internet Transmission Control Protocol) architecture, such as FTP, TFTP,
TELNET, SMTP, and the UNIX Remote Execution Facilities. Before I commence, I
want to make it known that this file is not intended to be a 'why' file, but
instead a 'how to' tutorial. In the event I get a good response concerning
this document, I may later release a more technically oriented paper from a
programmer's viewpoint.

  NOTE: Where I give examples of a command format, words in capitals
represent variables. For example, in the line '$ telnet HOST', HOST should be
replaced (in LOWERCASE!) by the name of a system. This is just my means of
distinguishing between actual commands and their options.
  Control characters are denoted in the form of an exponent, e.g. ^H is
control-H.

YP DATABASE

  Present on every UNIX that supports TCP-IP is a set of files, labeled by
programmers as the yellow pages, that serve as a directory of the hosts and
networks accessible from your system. These files are /etc/hosts and
/etc/networks respectively. There may also be a third, /etc/hosts.equiv, which
is a listing of those hosts that share resources and/or have users in common.
They are ASCII text and are readable by all users, so it may prove helpful to
print them out for reference and easy access. Entries in the above-mentioned
files take the form:

###.###.###.###     host.owner.research   nicknames

Example:

18.72.0.39          athena.mit.edu   mit-athena athena

  The string of numbers, expressed in octal "dot notation", is the NetNumber
of the host. It is followed by the complete name, and lastly by the other
names the host is universally known as. When attempting to access a system,
any one of these identifiers may be used.
  NOTE: Most of the databases one will come across are incomplete or may be
outdated. A complete host list can be obtained from the Network Information
Control Center (NIC) at SRI International; the host name is sri-nic.arpa.
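The lookup the text describes (any of address, full name or nickname identifies the host), as an added example that is not part of the original article. The host table below is constructed in the entry form given above; it is not a real /etc/hosts dump.

```python
# Constructed /etc/hosts-style table in the '###.###.###.###  name  nicknames'
# form described above; comments and blank lines are allowed as in the real file.
SAMPLE_HOSTS = """\
# constructed sample, not a real host list
18.72.0.39          athena.mit.edu   mit-athena athena

10.2.0.78           ucbvax.berkeley.edu  ucbvax   # trailing comment
128.118.6.2         psuvax1.psu.edu  psuvax1
"""


def parse_hosts(text):
    """Return a list of (address, canonical_name, [nicknames]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # an address with no name: skip
        address, name, *nicks = fields
        octets = address.split(".")
        # Each octet is read as a decimal number 0-255, which is how
        # 18.72.0.39 reads; anything else is not a usable NetNumber.
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            continue
        entries.append((address, name, nicks))
    return entries


def resolve(text, key):
    """Look a host up by NetNumber, full name or any nickname, case-insensitively.

    Returns the dotted address, or None when the table has no such host.
    """
    key = key.lower()
    for address, name, nicks in parse_hosts(text):
        if key == address or key == name.lower() or key in (n.lower() for n in nicks):
            return address
    return None
```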

TELNET

  Telnet is the standard facility used for logging into other systems. It is
found not only on UNIX, but TOPS, VMS, and all the other various operating
systems found on the DDN. To activate the program:

% telnet HOST [PORT]

  If invoked without arguments, it enters command mode, indicated by the
prompt 'telnet>'. From here, many functions are available.

open HOST [PORT]
  Open a connection to the named computer. If PORT, which shall be explained
subsequently, is omitted then telnet will contact the TELNET server of that
host. As mentioned earlier, systems can be addressed by either their
NetNumber, NetName, or a nickname.

close
  Close connection and return to command mode.

quit
  End session and exit program.

status
  Show current status of telnet, i.e. connections and toggled options.

z
  Suspend telnet. This lets you operate an interactive shell on the local
machine while an open connection to a remote host is held pending.

? COMMAND
  Get help on COMMAND, or if COMMAND is omitted, print a summary of all
options.

  Once a connection has been established, telnet enters input mode, where you
can communicate directly with the remote host. To return to command mode,
enter ^]. A hacking session might look like:

% telnet ucbvax.berkeley.edu
Trying 10.2.0.78 ...
Connected to ucbvax.berkeley.edu.
Escape character is '^]'.

4.3 BSD UNIX (ucbvax.Berkeley.EDU)

login: example
Password: ^D
Connection closed by foreign host.
%

PORTS

  Each host on the Internet runs various daemons to perform tedious upkeep
jobs like recording logs, mounting disks and, on UNIX, cleaning up uucp and
/tmp files. Along with the 'normal' daemons is one run to accommodate
communication between a host and its peers on a network. inetd, the managing
daemon of system-to-system communication, has a number of services which it
regularly uses, but they can also be addressed manually via telnet. The
notation, shown earlier, is simply:

% telnet HOST PORT

OR

telnet> open HOST PORT

  Each service has a port number associated with it. The number is decimal,
in the range 0-1023. A database of all active services is located in the
ASCII text file /etc/services.
  From a hacker's view the following are very helpful in the process of
penetrating a system:

79        Finger server. Connecting to this will give a systat report similar
to the one a user would get if he was on the target system and issued the
finger command. Once connected to port 79, the host will sit idle until one
of two things happens: either a return is pressed, which produces a general
finger listing, or a username is entered, which returns that user's personal
info.

% telnet psuvax1.psu.edu 79
Trying 128.118.6.2 ...
Connected to psuvax1.psu.edu.
Escape character is '^]'.

Login       Name              TTY Idle    When            Office
opr      The Operator          co      Sat 19:02  334  Whitmo  x5-9723
hager    William W. Hager      d1      Sat 18:50              237-8876
georg    Georg Schnitger       22 1:32 Sat 18:42  315  Whitmo  x5-1406
malik    Sohail Malik          p0  18  Sat 19:16  214c  Compu  x5-0816
Connection closed by foreign host.
%

11        Systat server. This cannot be issued to target UNIX systems, but is
applicable to VMS and TOPS, where it returns data like that from finger.

25        SMTP server. This is the server used for mail among systems. It is
also the most vulnerable port to attack, as it can be easily fooled. With this
knowledge the hacker can assume any identity he wishes through mail. For
example, to send mail to [email protected] from [email protected], under
normal circumstances one would have to possess the root account, from which
he would just enter:

% mail [email protected]

  But this is not always feasible or possible! So we must resort to an
indirect, devious approach:

% telnet cc3.bbn.com 25
Trying 8.3.0.5 ...
Connected to cc3.bbn.com.
Escape character is '^]'.

220 cc3.bbn.com. Sendmail 3.2/SMI-3.2 ready at Fri, 28 Feb 87 17:40:53 PST

rcpt to: guest
250 guest... Recipient ok
mail from: [email protected]
250 example... Sender ok
data
354 Enter mail, end with "." on a line by itself

This is an example of the SMTP port.
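The server side of the exchange above, as an added example that is neither the article's code nor Sendmail's. It replays a constructed copy of the session's client lines through a minimal envelope state machine that enforces the MAIL-before-RCPT ordering of RFC 821 with a 503 reply (the session above sends RCPT TO first) and records the connecting peer's address beside the client-asserted MAIL FROM, which is the only identity the server can actually vouch for; the peer address and sender address are made up for the example.

```python
# Constructed client lines, in the order the article's session sends them.
# The peer address is an RFC 5737 documentation address, made up for the example.
PEER = "192.0.2.10"
CLIENT_LINES = ["rcpt to: guest", "mail from: example@sender.example",
                "rcpt to: guest", "data",
                "This is an example of the SMTP port.", "."]


class SmtpEnvelope:
    """Minimal server-side envelope state for one SMTP session."""

    def __init__(self, peer):
        self.peer, self.sender, self.recipients = peer, None, []
        self.in_data, self.body, self.trace = False, [], []

    def handle(self, line):
        """Feed one client line; return the reply, or None for a body line."""
        if self.in_data:                      # inside DATA: collect until "."
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            return "250 Ok: message accepted"
        verb, _, arg = line.partition(":")
        verb, arg = verb.strip().lower(), arg.strip()
        if verb == "mail from":
            # The sender is whatever the client asserts; keep the real peer
            # address beside it so the claim can be checked later.
            self.sender = arg
            self.trace.append(f"from {self.peer} claiming {arg}")
            return f"250 {arg}... Sender ok"
        if verb == "rcpt to":
            if self.sender is None:           # RFC 821: MAIL must precede RCPT
                return "503 Bad sequence of commands: MAIL FROM first"
            self.recipients.append(arg)
            return f"250 {arg}... Recipient ok"
        if verb == "data":
            if not self.recipients:
                return "503 Bad sequence of commands: RCPT TO first"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        return "500 Command unrecognized"


def replay(lines, peer=PEER):
    """Run the client lines through a fresh session; return (session, replies)."""
    env = SmtpEnvelope(peer)
    replies = [r for r in map(env.handle, lines) if r is not None]
    return env, replies
```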